[Gmod-ajax] JBrowse - access control docs incomplete

On 13 Jun 2016, at 02:28, Raymond Wan <[hidden email]> wrote:

Hi Keiran,

I'm not sure if someone more experienced replied to you yet.  But for
what it's worth, this is what I did with CAS.

It looked like everything that JBrowse does is within index.php .
(Someone correct me if I'm wrong.)  So, if I put an

<?php
if (authenticated) {
 //  All this from index.php
?>
   <div id="GenomeBrowser" style="height: 100%; width: 100%; padding:
0; border: 0;"></div>
   <div style="display: none">JBrowseDefaultMainPage</div>
<?php
}
else {
 //  Show some error message and redirect to a CAS login page
}
?>

The "authenticated" part is where I call a CAS-based function that
returns a Boolean variable.  I presume you can replace that with
something that queries an SQL database and/or a cookie.  (Many web
pages describe how to do this better than I can.)

I mentioned before that I didn't know if this was fool-proof.  I don't
know if someone can bypass this page to see the data.  It's on my
to-do list...


On Wed, Jun 8, 2016 at 9:31 PM, Keiran Raine <[hidden email]> wrote:

Can someone please provide more information as to how you get JBrowse to require a login cookie.  The docs linked don’t give any information:

http://gmod.org/wiki/JBrowse_Configuration_Guide#Authentication_and_Access_Control

I just need to know:

How do I tell JBrowse that it should be checking for a login (I assume there’s a config value to be set)
What value needs to be set in the cookie (I can see the cookie and that it has picked up my manually configured ‘documentDomain’)

What I said above wasn't quite what you were looking for.  If there is
something built-in that can be turned on by setting a value in
jbrowse.conf (for example), that would be cool.

HTTP Basic authentication might be better since you can request a
password for every file within a directory.  I chose CAS instead
because  I didn't want to manage user accounts...

Ray

On 13 Jun 2016, at 17:04, Raymond Wan <[hidden email]> wrote:

Hi Keiran,


On Mon, Jun 13, 2016 at 9:09 PM, Keiran Raine <[hidden email]> wrote:

With your initial pointer I'm taking a look at phpCAS and will get back to
the list once I have a more detailed example.

https://github.com/Jasig/phpCAS/

Just waiting for confirmation of our CAS server details so I can start
testing...

If you are using CAS, then I can do a bit better and fill in the
blanks for you.  I wasn't purposely withholding information -- after
all, I worked out what I had to do from the phpCAS examples.  But, I
figured if you weren't using CAS, then I shouldn't bore you with the
details.

Of course, the standard disclaimer applies -- I didn't really know
what I was doing, so if you (or anyone else here) sees an obvious bug,
please let me / us know.  Our data isn't [at the moment] highly
secretive, so I can be a little slack for now.

Indeed, my starting point was this:
https://wiki.jasig.org/display/CASC/phpCAS .  Alternatives using
Apache's mod_auth_cas, Java, and Perl's AuthCAS module were also
suggested by our administrators.

In short, this is index.php, which was a modification of JBrowse's
index.html.  XXX-about.php gives information about our JBrowse
instance.  config.php is the same as the phpCAS example and CAS.php is
from the phpCAS library.  You'll need to plug in values into
config.php .


-----
<?php

// Load the settings from the central config file
require_once 'config.php';
// Load the CAS lib
require_once $phpcas_path . '/CAS.php';

// Enable debugging
// phpCAS::setDebug();

// Initialize phpCAS
phpCAS::client (CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);

// For production use set the CA certificate that is the issuer of the cert
// on the CAS server and uncomment the line below
phpCAS::setCasServerCACert ($cas_server_ca_cert_path);

// For quick testing you can disable SSL validation of the CAS server.
// THIS SETTING IS NOT RECOMMENDED FOR PRODUCTION.
// VALIDATING THE CAS SERVER IS CRUCIAL TO THE SECURITY OF THE CAS PROTOCOL!
// phpCAS::setNoCasServerValidation();

if (isset($_REQUEST['logout'])) {
   phpCAS::logout();
}
if (isset($_REQUEST['login'])) {
   // handle incoming logout requests
   phpCAS::handleLogoutRequests (true);
   phpCAS::forceAuthentication ();
}

// check CAS authentication
$auth = phpCAS::checkAuthentication();

?>
<!DOCTYPE html>
<html>
 <head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
   <title>JBrowse</title>
   <link rel="stylesheet" type="text/css" href="css/genome.css">
   <script type="text/javascript">
   ...SAME AS BEFORE...
   </script>
   <script type="text/javascript" src="src/dojo/dojo.js"></script>
   <script type="text/javascript" src="src/JBrowse/init.js"></script>
   <script type="text/javascript">
   ...SAME AS BEFORE...
   </script>
 <title>XXX</title>
 </head>

 <body>
<?php
if ($auth) {
       ?>
   <div id="GenomeBrowser" style="height: 100%; width: 100%; padding:
0; border: 0;"></div>
   <div style="display: none">JBrowseDefaultMainPage</div>

   <p><a href="XXX-about.php" target="_blank">About this genome browser</a></p>

   <p>Currently logged in as:  <strong><?php echo phpCAS::getUser();
?>@XXX</strong>.</p>
   <p><a href="https://XXX.authsite.XXX/cas/logout?url=http://XXX.mysite.XXX/jbrowse/">Logout</a>
(Closing the browser is also required.)</p>

   <?php
} else {
                                       ?>
   <h1>XXX</h1>

   <h2>Authentication Required</h2>
   <p>Access to the system requires you to authenticate yourself with
the our Central Authentication Service:</p>
   <p><a href="?login=">Login</a></p>
   <p>You can logout using the link at the <strong>bottom</strong> of
the genome browser, followed by closing your web browser.</p>
   <?php
}
                                     ?>
 </body>
</html>
-----


Perhaps it's somewhat obvious, but I started off with a "Hello World"
that demonstrated authentication was working.  After that, it was a
matter of just combining that with JBrowse's index.html .

I hope this helps!

Ray